Splunk Search

How to write regex for search or index time field extractions?

smudge797
Path Finder

Im trying to get search time field extractions (or index time) on the following log format:

2014-06-11T09:32:45.545-07:00 - INFO
RequestType:SFPR
UniqueRequestGUID:0e160f29-d75b-49dd-b966-4d93678d0590
SessionGUID:826e14ab-df0f-41c8-b874-13d17dd0b655
ProductType:PACKAGE
TPID:6
EPID:0
PGPR_PIID:f4669df2-e9af-429c-8b9d-b1b4aa136d9e-0
PGPR_ConnOpen:1
PGPR_Ser:2
PGPR_RequestDuration:25
PGPR_Des:2
RequestDuration:30

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Seems like fairly straightforward key-value extraction, try this:

props.conf

[your_sourcetype]
REPORT-kv = key_colon_value

transforms.conf

[key_colon_value]
REGEX = ^(?<_KEY_1>\w+):(?<_VAL_1>.*)$

Make sure my use of start- and end-of-line anchors works correctly without specifying any flags such as (?m) or (?s), I frequently mix those up 🙂

0 Karma

somesoni2
Revered Legend

Try this as transform REGEX.

\s*(?<KEY_1>[a-zA-Z\]+):(?<_VAL_1>[^\s]*)

0 Karma

smudge797
Path Finder

Do i not need something extra to have the : appear as a =
So ProductType:PACKAGE would be ProductType=PACKAGE

0 Karma

smudge797
Path Finder

Thanks Martin..
interesting, it does not appear to be working. Can you expand on the anchor points?
Maybe i am mixing them up!

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...